OWASP Top 10 Threats and Mitigations Exam

From OWASP
Revision as of 07:49, 28 January 2011 by Jason Taylor (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Course Title: OWASP Top 10 Threats and Mitigation
Exam Questions



Which of the following can be caused by an injection attack?

  1. Spoofing
  2. Data loss (Correct)
  3. Denial of service (Correct)
  4. Insecure direct object references


Which threat can occur in languages that do not support a clear distinction between code and data?

  1. Injection (Correct)
  2. Insecure direct object references
  3. Failure to restrict URL access
  4. Insufficient transport layer protection


Which of the following scenarios can lead to an injection attack?

  1. Unvalidated input is embedded in an instruction stream. (Correct)
  2. Unvalidated input cannot be distinguished from valid instructions. (Correct)
  3. A Web application does not validate a client’s access to a resource.
  4. A Web action performs an operation on behalf of the user without checking a shared secret.


Which threat is your Web application susceptible to if a user can pass specially crafted input that invokes semantic control codes?

  1. Injection (Correct)
  2. Insecure direct object references
  3. Failure to restrict URL access
  4. Insufficient transport layer protection


Which of the following techniques can be used to protect against injection attacks?

  1. Input validation (Correct)
  2. Allow list (Correct)
  3. Escaping (Correct)
  4. Memory size checks
  5. Validate integer values before referencing arrays



Which of the following components are vulnerable to injection attacks?

  1. Control constructs
  2. Registry keys
  3. Regular expressions (Correct)
  4. SQL queries based on user input (Correct)


Which control construct can be used to perform an SQL injection attack?

  1. Single quote (') (Correct)
  2. Null (\0) byte
  3. Less than sign(<)
  4. Greater than sign(>)


Which two mitigation techniques when used in combination can help you strictly define valid input?

  1. Allow list (Correct)
  2. Block list (Correct)
  3. Table indirection
  4. Escaping


Which of the following are architecture-level techniques used to prevent attacks based on malicious input?

  1. Allow list
  2. Table indirection (Correct)
  3. Escaping
  4. Object class for user input (Correct)


Which mitigation technique helps you tell the parser that a specific character is a literal and not a control character?

  1. Table indirection
  2. Allow list
  3. Escaping (Correct)
  4. Block list


State whether the following statement is True or False.

You should use a blacklist wherever possible; use whitelists only as a secondary defense.

  1. True
  2. False (Correct)


Which mitigation technique helps you define disallowed inputs?

  1. Allow list
  2. Block list (Correct)
  3. Table indirection
  4. Escaping


Which threat is caused by an injection attack into a browser?

  1. Cross-site scripting (Correct)
  2. Cross-site request forgery
  3. Insecure direct object references
  4. Broken authentication and session management


Which of the following languages are the primary targets of cross-site scripting?

  1. HTML (Correct)
  2. SQL
  3. XSLT
  4. JavaScript (Correct)


Which type of attack occurs when a malicious user convinces a victim to send a request containing malicious input to a server?

  1. Reflected XSS (Correct)
  2. Persistent XSS
  3. Insecure direct object references
  4. Failure to restrict URL access


What should you do to prevent a DOM-based XSS attack?

  1. Set the HttpOnly flag in cookies
  2. Ensure that session IDs are not exposed in a URL
  3. Ensure that a different nonce is created for each request
  4. Validate any input that comes from another Web site (Correct)


How does malicious input flow in a DOM-based XSS?

  1. From server to client
  2. From client to itself (Correct)
  3. From attacker to server (M1_T3_P3)
  4. From victim to server (M1_T3_P2)


Which of the following techniques should you use to prevent malicious input?

  1. Allow List (Correct)
  2. Block list (Correct)
  3. Escaping (Correct)
  4. Encryption
  5. Table indirection


You should set the HttpOnly flag in a cookie to ensure that:

  1. The cookie is not available to client scripts (Correct)
  2. The cookie is deleted when the user closes the browser
  3. The cookie is sent over an encrypted channel
  4. The cookie is a persistent cookie


You should set a secure flag in a cookie to ensure that:

  1. The cookie is a persistent cookie.
  2. The cookie is not available to client script.
  3. The cookie is sent over an encrypted channel. (Correct)
  4. The cookie is deleted when the user closes the browser.


Which type of attack occurs when an attacker submits data to the server and the data is stored on the server?

  1. DOM-based XSS
  2. Reflected XSS
  3. Persistent XSS (Correct)
  4. Cross-site request forgery


Which of the following input sources can be controlled by a malicious user?

  1. Window.location (Correct)
  2. GET/POST parameters (Correct)
  3. Server configuration files
  4. Ports and network resources


Which of the following scenarios may result in broken authentication and session management vulnerabilities?

  1. Poorly implemented custom code is used. (Correct)
  2. Misconfigured off-the-shelf code is used. (Correct)
  3. Unvalidated input cannot be distinguished from valid instructions.
  4. Unvalidated input is embedded in an instruction stream.


Which of the following actions should you take before implementing a custom authentication and session management system?

  1. Find out if a suitable framework component already exists. (Correct)
  2. Find out if you can use a small extension to an existing component to implement the system. (Correct)
  3. Find out if form variables are available to store data.
  4. Find out if you need to use session-based indirection.


State whether the following statement is True or False.

When implementing an authentication or session system, you should ensure that new session IDs are not created at login.

  1. True
  2. False (Correct)


Which of the following functionalities should you include in an authentication and session management system?

  1. Logout functionality (Correct)
  2. Inactivity timeout functionality (Correct)
  3. Escaping functionality
  4. Forwarding system functionality


Why should you use CAPTCHA?

  1. To create cryptographically random session IDs
  2. To protect credentials by using encryption or cryptographic salt and hash
  3. To protect authentication systems from automated or brute-force attacks (Correct)
  4. To ensure that authentication systems implement inactivity timeout functionality


What should you do before passing credentials over the network?

  1. Replace the credentials with a cryptographic salt and hash (Correct)
  2. Accept session IDs from URLs
  3. Share the credentials with the client.
  4. Use persistent cookies to manage session IDs.


Which location should you ideally use to store a session ID?

  1. URLs
  2. Form variables
  3. Persistent cookies
  4. Non-persistent cookies (Correct)


What should you do to ensure that JavaScript cannot be used to access a cookie?

  1. Set the secure flag in the cookie
  2. Set the HttpOnly flag in the cookie (Correct)
  3. Use the CAPTCHA system
  4. Use non-persistent cookies


Which of the following are authentication system mandatory requirements?

  1. Strong passwords are required. (Correct)
  2. Use a GOTCHA to prevent automated attacks.
  3. User logout and session inactivity are required. (Correct)
  4. Session IDs are only accepted from cookies and parameter variables.
  5. Credentials are always protected with encryption or cryptographic salting and hashing. (Correct)


Which of the following are requirements for an authentication token?

  1. It should identify returning users to the site
  2. It should be used as a replacement for a user's credentials (Correct)
  3. It should always use a persistent cookie
  4. It should always use a non-persistent cookie (Correct)


State whether the following statement is True or False.

An identification token is a replacement for a user’s credentials and should allow access to restricted resources of a Web site.

  1. True
  2. False (Correct)


Which of the following tasks are performed by a session-based system?

  1. Identifying returning users (Correct)
  2. Providing access to restricted resources (Correct)
  3. Using the HTTP protocol
  4. Sending successful logins to a well-known location


Which threat can occur when a Web application fails to validate a client's access to a resource?

  1. Injection
  2. Cross-site scripting
  3. Insecure direct object reference (Correct)
  4. Cross-site request forgery


Which of the following objects are susceptible to an insecure direct object reference attack?

  1. Files (Correct)
  2. Registry keys (Correct)
  3. Conditional constructs
  4. GET/POST parameters


Which of the following vulnerabilities may be caused by an insecure direct object reference attack?

  1. Executing commands on the server.
  2. Impersonating any user on the system.
  3. Modifying SQL data pointed to by the query.
  4. Modifying data without authorization. (Correct)
  5. Accessing a resource without authorization. (Correct)


What should you do to mitigate the threat of an insecure direct object reference attack?

  1. Use session-based indirection. (Correct)
  2. Use POST parameters instead of GET parameters.
  3. Perform an access check each time a resource identifier arrives as input. (Correct)
  4. Send successful logins to a well-known location instead of automatic redirection.


State whether the following statement is True or False.

Time of Check Time of Use (TOCTOU) occurs if the authorization check is performed on one page of a Web site and the resource is used on a different page.

  1. True (Correct)
  2. False


Your Web application stores information about many accounts. Which threat is your Web application susceptible to if you can manipulate the URL of an account page to access all accounts?

  1. Cross-site request forgery
  2. Insecure direct object reference (Correct)
  3. Cross-site scripting
  4. Injection


Which of the following threats are caused by poor input validation?

  1. Injection (Correct)
  2. Cross-site scripting (Correct)
  3. Insecure direct object reference (Correct)
  4. Insecure cryptographic storage
  5. Insufficient transport layer protection


Which threat can occur when a POST parameter performs an operation on behalf of a user without checking a shared secret?

  1. Cross-site request forgery (Correct)
  2. Insecure direct object reference
  3. Cross-site scripting
  4. Injection


Which of the following are the results of a cross-site request forgery?

  1. Elevation of privilege (Correct)
  2. Denial of service (Correct)
  3. Spoofing and tampering (Correct)
  4. Enabling of IPSec
  5. Misconfigured or disabled security features


Which of the following attacks can occur when a malicious user lures victims to malicious content on a Web site?

  1. Injection
  2. Cross-site scripting
  3. Insecure direct object reference
  4. Cross-site request forgery (Correct)


State whether the following statement is True or False.

The downside of a nonce is that it needs to be stored on the client.

  1. True
  2. False (Correct)


What should you add to an HMAC to ensure that the secret value is unique for each request?

  1. Salt
  2. Nonce
  3. Session ID
  4. Timestamp(Correct)


Which of the following practices should you observe in order to implement defense-in-depth techniques against CSRF attacks?

  1. Use GET parameters
  2. Use automatic redirection.
  3. Don’t include secrets in the URL. (Correct)
  4. Resubmit POST parameters during redirection.


State whether the following statement is True or False.

GET parameters limit the types of manipulation a malicious user can perform on the victim to forge a request.

  1. True
  2. False (Correct)


Which of the following may cause a security misconfiguration threat?

  1. Unused services (Correct)
  2. Default accounts (Correct)
  3. Bad cryptography
  4. Unsafe key storage


You have not yet applied some recent service packs and updates to your Web application. Which of the following threats is your Web server susceptible to?

  1. Injection
  2. Security misconfiguration (Correct)
  3. Insecure cryptographic storage
  4. Cross-site request forgery



Which of the following actions should you take to reevaluate your environment and address new threats?

  1. Add or remove network segments (Correct)
  2. Apply the latest service packs, patches, hotfixes, and updates (Correct)
  3. Use custom cryptographic algorithms
  4. Use your browser to forge unauthorized requests


Which of the following procedures are involved in the hardening process?

  1. Disable unnecessary features. (Correct)
  2. Review all settings/configurations. (Correct)
  3. Repeat the process at random intervals.
  4. Update the environment with changes only when needed.


Which of the following consequences can occur if your production environment does not match your development, testing, and staging environments?

  1. Your application may not work. (Correct)
  2. Your application may not perform some authentication checks (Correct).
  3. Your application may elevate privileges.
  4. Your application may deny service.


Which of the following can cause insecure cryptography?

  1. Unsalted hash (Correct)
  2. Unused services
  3. Default accounts
  4. Failure to rotate keys (Correct)


Which of the following can lead to bad cryptography?

  1. Custom cryptographic algorithms (Correct)
  2. Insufficient cryptographic protocols (Correct)
  3. New products
  4. Missing patches


Which of the following may result in cryptographic weakness?

  1. Poor/weak algorithm choice (Correct)
  2. Custom cryptographic algorithms (Correct)
  3. Insufficient cryptographic protocols (Correct)
  4. Missing patches
  5. Unnecessary/unused services or features


Which of the following protocols are network encryption protocols?

  1. SSL (Correct)
  2. EFS
  3. IPSec (Correct)
  4. Kerberos


Which of the following factors help you secure keys?

  1. Complexity (Correct)
  2. Rotation (Correct)
  3. Randomness (Correct)
  4. Encryption


Which of the following combines public-key cryptography with a cryptographic hash?

  1. Nonce
  2. Digital signature (Correct)
  3. SSL
  4. Salt


Which of the following depicts the typical impact of failure to restrict URL access?

  1. Attackers access other users’ accounts and data. (Correct)
  2. Attackers impersonate any user on the system.
  3. Attackers invoke functions and services they have no authorization for. (Correct)
  4. Attackers perform all actions that the victims themselves have permission to perform.


When users log on to your Web site, they are directed to a page with a URL that authorizes them using their role. Which threat is your Web application susceptible to if users can modify their role?

  1. Injection
  2. Cross-site scripting
  3. Failure to restrict URL access (Correct)
  4. Unvalidated redirects and forwards


Which of the following actions should you take to verify the implementation of your Web application?

  1. Use policy mechanisms
  2. Use a simple and positive model at every layer
  3. Verify that each URL in your application is protected. (Correct)
  4. Use your browser to forge unauthorized requests (Correct)


Which of the following should you use to protect the connections between the physical tiers of your application?

  1. EFS
  2. SSL (Correct)
  3. IPSec (Correct)
  4. Kerberos


Which of the following actions should you take to implement transport layer protection?

  1. Install IDS
  2. Enable SSL(Correct)
  3. Set the HttpOnly flag on session ID cookies
  4. Enable IPSec (Correct)



Which of the following can result from unvalidated redirects and forwards?

  1. Brute force attack
  2. Network sniffing
  3. Man-in-the-middle attack
  4. Bypassed authorization checks (Correct)


Which of the following actions should you take to protect a Web application from unvalidated redirects and forwards?

  1. Validate the referrer header (Correct)
  2. Use extended validation certificates
  3. Validate all input from the client (Correct)
  4. Disallow requests to unauthorized file types


Which of the following actions should you take to detect unvalidated redirects and forwards?

  1. Use internal transfers without authorizing the user for target URL
  2. Use your browser to forge unauthorized requests
  3. Use weblogs to identify redirects and forwards (Correct)
  4. Use policy mechanisms


What should you do to prevent security issues if a user submits some data to your Web application?

  1. Validate the data. (Correct)
  2. Use session-based indirection.
  3. Use POST parameters.
  4. Set the secure flags in cookies.




State whether the following statement is True or False.

If the input can be confused for instructions in the language or the way the language is applied, then the language is vulnerable to the cross-site request forgery attack.

  1. True
  2. False (Correct)


In which of the following scenarios should you use the escaping technique?

  1. When user input is echoed back to the user in HTML (Correct)
  2. When you need to validate any input as valid input
  3. When you are trying to protect against regular expression injection
  4. When you need to tell the interpreter that input is data and not code (Correct)



What should you do to prevent unvalidated redirect and forwards vulnerabilities?

  1. Use table indirection (Correct)
  2. Use an allow list
  3. Allow only relative redirects (Correct)
  4. Use session-based indirection